Unexpected behavior of Set-SecureBootUEFI with the -ContentFilePath parameter

I'm using the following 3 commands to add a new key to my Secure Boot db:

$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
Set-SecureBootUEFI -ContentFilePath .\FormattedContent.bin -SignedFilePath GeneratedFileToSign.bin.p7
The first two commands succeed but Set-SecureBootUEFI unexpectedly produces the following prompt:

Supply values for the following parameters:
Name: 
Shouldn't it be able to obtain the name from FormattedContent.bin? This behavior isn't described anywhere in the documentation and is contrary to the behavior shown in example 2 where the command succeeds without any further prompt.
I entered "db", and then it prompted:

Time: 
Again this should have been obtained from `FormattedContent.bin`, and the behavior isn't documented anywhere.

When I repeated everything in the same session with a slight modification, Set-SecureBootUEFI succeeds immediately:

$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";$ObjectFromFormat=Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
$ObjectFromFormat | Set-SecureBootUEFI -SignedFilePath GeneratedFileToSign.bin.p7
The only difference between the two sets of commands is that the first outputs the formatted data to a file which is then supplied as a parameter to Set-SecureBootUEFI, while the second outputs the formatted data to a PowerShell object which is then piped to Set-SecureBootUEFI. Functionally both are identical and it is puzzling why they have different behavior.
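
The same enrollment as an added example (my code, not the poster's), using the file-based form with -Name and -Time supplied on the command line, followed by a check that reads db back and parses its EFI_SIGNATURE_LIST chain to confirm the certificate actually landed. It assumes the file names, SignatureOwner GUID and password placeholder from the post, and that the file-based parameter set of Set-SecureBootUEFI takes -Name and -Time as ordinary parameters (the prompt in the post is PowerShell's standard prompt for a mandatory parameter that was not supplied).

```powershell
# Added example, not from the original post. Assumes dbKey.cer, PrivateKey.pfx and signtool.exe
# in the current directory and the placeholder owner GUID / password used in the post.
$ErrorActionPreference = 'Stop'
$CurrentTime = Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
$Owner = '12345678-1234-1234-1234-123456789abc'   # placeholder SignatureOwner GUID from the post

Format-SecureBootUEFI -Name db -SignatureOwner $Owner -FormatWithCert -Certificate .\dbKey.cer `
    -ContentFilePath .\FormattedContent.bin -SignableFilePath .\GeneratedFileToSign.bin `
    -Time $CurrentTime -AppendWrite
& .\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData `
    /a /f .\PrivateKey.pfx /p thePassword .\GeneratedFileToSign.bin
# The pipeline form carries Name and Time on the object; the file-based form takes them as parameters.
Set-SecureBootUEFI -Name db -Time $CurrentTime -ContentFilePath .\FormattedContent.bin `
    -SignedFilePath .\GeneratedFileToSign.bin.p7

# Walk the EFI_SIGNATURE_LIST chain of a Secure Boot variable and return the X.509 entries it holds.
# Layout per list: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
#                  | header[SignatureHeaderSize] | entries, each = SignatureOwner GUID(16) + DER cert.
function Get-SecureBootX509Entries([string]$Name) {
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { throw "Corrupt signature list at offset $pos" }
        if ($type -eq $x509Type) {
            $entry = $pos + 28 + $headerSize
            while ($entry + $sigSize -le $pos + $listSize) {
                $owner = [guid]::new([byte[]]$bytes[$entry..($entry + 15)])
                $der   = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Owner = $owner; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
                $entry += $sigSize
            }
        }
        $pos += $listSize
    }
}

# Verify the enrollment by thumbprint rather than trusting the cmdlet's silence.
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path .\dbKey.cer).Path)
$enrolled = @(Get-SecureBootX509Entries -Name db)
if ($enrolled.Thumbprint -contains $expected.Thumbprint) { "dbKey.cer is present in db" }
else { throw "dbKey.cer not found in db after Set-SecureBootUEFI" }
```

Run it from an elevated PowerShell on the machine whose db you are changing; the parser can also be pointed at KEK or dbx to audit what is already enrolled before writing anything.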

1 Reply
It appears that the behavior you are experiencing with the Set-SecureBootUEFI cmdlet is unexpected and not documented. In general, PowerShell cmdlets are designed to work with pipeline input, so it should be possible to pipe the output of Format-SecureBootUEFI directly to Set-SecureBootUEFI without the need for additional prompts.

One possible explanation for the behavior you are observing is that the format of the output from Format-SecureBootUEFI is different when it is written to a file versus when it is output as a PowerShell object. It's possible that the file format includes additional information that allows Set-SecureBootUEFI to automatically determine the name and time parameters, while the PowerShell object format does not.

Without more information about the specific implementation of the cmdlets and their interaction with the Secure Boot system, it's difficult to provide a definitive answer. However, you may want to consider filing a bug report or support request with the provider of the Secure Boot PowerShell module to report this unexpected behavior.